[Secure-testing-commits] r42496 - data/CVE
Author: carnil Date: 2016-06-13 05:04:12 + (Mon, 13 Jun 2016) New Revision: 42496 Modified: data/CVE/list Log: Fix typo and clarify todo for libxslt issue Modified: data/CVE/list === --- data/CVE/list 2016-06-13 04:38:16 UTC (rev 42495) +++ data/CVE/list 2016-06-13 05:04:12 UTC (rev 42496) @@ -10938,7 +10938,7 @@ TODO: check CVE-2016-1841 (libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - libxslt - TODO: check, most likely *not* only Apple specific, but currelntly not enough public information available + TODO: check, most likely *not* only Apple specific, but currently not enough public information available to determine the fix CVE-2016-1840 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42495 - data/CVE
Author: carnil Date: 2016-06-13 04:38:16 + (Mon, 13 Jun 2016) New Revision: 42495 Modified: data/CVE/list Log: Cleanup version entry Modified: data/CVE/list === --- data/CVE/list 2016-06-13 04:38:06 UTC (rev 42494) +++ data/CVE/list 2016-06-13 04:38:16 UTC (rev 42495) @@ -2863,7 +2863,7 @@ CVE-2016-4472 RESERVED {DSA-3582-1 DLA-483-1} - - expat 2.1.1-2 + - expat 2.1.1-2 NOTE: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc CVE-2016-4471 RESERVED
[Secure-testing-commits] r42494 - data/CVE
Author: carnil Date: 2016-06-13 04:38:06 + (Mon, 13 Jun 2016) New Revision: 42494 Modified: data/CVE/list Log: Expand note for CVE-2016-5361 Modified: data/CVE/list === --- data/CVE/list 2016-06-13 04:24:29 UTC (rev 42493) +++ data/CVE/list 2016-06-13 04:38:06 UTC (rev 42494) @@ -77,7 +77,10 @@ CVE-2016-5361 RESERVED - libreswan (bug #773459) - TODO: check other implementations, but CVE is assigned specific to libreswan + NOTE: Possibly the CVE should be rejected: http://www.openwall.com/lists/oss-security/2016/06/13/1 + NOTE: MITRE has not assigned the CVE to the protocol flaw, but specific to libreswan, but as + NOTE: Huzaifa Sidhpurwalapointed out that is not a libreswan issue, rather + NOTE: the protocol is flawed. CVE-2016-5360 [remote denial of service via reqdeny] RESERVED - haproxy 1.6.5-2 (bug #826869)
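Review bot: The removed TODO in the CVE-2016-5361 hunk ("check other implementations") was the only reminder to look beyond libreswan, and the new NOTE lines argue that the protocol itself is flawed, which makes that check more relevant rather than less. Suggest keeping a TODO for the other implementations until the CVE is either rejected or reassigned. In the added text, "Huzaifa Sidhpurwalapointed out that is not" is missing a space after the name and reads better as "pointed out that it is not".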
[Secure-testing-commits] r42493 - data/CVE
Author: carnil Date: 2016-06-13 04:24:29 + (Mon, 13 Jun 2016) New Revision: 42493 Modified: data/CVE/list Log: Two chicken CVEs fixed Modified: data/CVE/list === --- data/CVE/list 2016-06-13 04:15:12 UTC (rev 42492) +++ data/CVE/list 2016-06-13 04:24:29 UTC (rev 42493) @@ -28436,7 +28436,7 @@ - libwmf 0.2.8.4-10.4 (bug #787644) CVE-2015-4556 [buffer overrun in CHICKEN Scheme's string-translate* procedure] RESERVED - - chicken (bug #788833) + - chicken 4.10.0-1 (bug #788833) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) @@ -39760,7 +39760,7 @@ [wheezy] - patch (Support for git-style patches added in 2.7) [squeeze] - patch (Support for git-style patches added in 2.7) CVE-2014-9651 (Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, ...) - - chicken (bug #775346) + - chicken 4.10.0-1 (bug #775346) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue)
[Secure-testing-commits] r42492 - data/CVE
Author: carnil Date: 2016-06-13 04:15:12 + (Mon, 13 Jun 2016) New Revision: 42492 Modified: data/CVE/list Log: Remove no-dsa tag entry for wheezy CVE-2015-7995/libxslt (is included in DLA) Modified: data/CVE/list === --- data/CVE/list 2016-06-12 21:42:01 UTC (rev 42491) +++ data/CVE/list 2016-06-13 04:15:12 UTC (rev 42492) @@ -18502,7 +18502,6 @@ CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does ...) - libxslt 1.1.28-2.1 (bug #802971) [jessie] - libxslt (Minor issue) - [wheezy] - libxslt (Minor issue) [squeeze] - libxslt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1257962 NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/10
[Secure-testing-commits] r42491 - in data: . DLA
Author: pochu Date: 2016-06-12 21:42:01 + (Sun, 12 Jun 2016) New Revision: 42491 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-514-1 for libxslt Modified: data/DLA/list === --- data/DLA/list 2016-06-12 21:10:11 UTC (rev 42490) +++ data/DLA/list 2016-06-12 21:42:01 UTC (rev 42491) @@ -1,3 +1,6 @@ +[12 Jun 2016] DLA-514-1 libxslt - security update + {CVE-2015-7995 CVE-2016-1683 CVE-2016-1684} + [wheezy] - libxslt 1.1.26-14.1+deb7u1 [12 Jun 2016] DLA-513-1 nspr - security update {CVE-2016-1951} [wheezy] - nspr 2:4.9.2-1+deb7u4 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-12 21:10:11 UTC (rev 42490) +++ data/dla-needed.txt 2016-06-12 21:42:01 UTC (rev 42491) @@ -42,8 +42,6 @@ -- libstruts1.2-java (Thorsten Alteholz) -- -libxslt (Emilio Pozuelo) --- linux -- mat
[Secure-testing-commits] r42490 - data/CVE
Author: sectracker Date: 2016-06-12 21:10:11 + (Sun, 12 Jun 2016) New Revision: 42490 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-06-12 20:28:44 UTC (rev 42489) +++ data/CVE/list 2016-06-12 21:10:11 UTC (rev 42490) @@ -36,6 +36,7 @@ RESERVED CVE-2016-5364 RESERVED + {DLA-512-1} - mantis NOTE: http://github.com/mantisbt/mantisbt/commit/5068df2d (1.2.x) NOTE: https://mantisbt.org/bugs/view.php?id=20956 @@ -10519,6 +10520,7 @@ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/ CVE-2016-1951 RESERVED + {DLA-513-1} - firefox-esr 45.0esr-1 - firefox 45.0-1 - nspr 2:4.12-1
[Secure-testing-commits] r42489 - data/CVE
Author: jmm Date: 2016-06-12 20:28:44 + (Sun, 12 Jun 2016) New Revision: 42489 Modified: data/CVE/list Log: shiro fixed Modified: data/CVE/list === --- data/CVE/list 2016-06-12 17:38:11 UTC (rev 42488) +++ data/CVE/list 2016-06-12 20:28:44 UTC (rev 42489) @@ -2974,7 +2974,7 @@ CVE-2016-4438 RESERVED CVE-2016-4437 (Apache Shiro before 1.2.5, when a cipher key has not been configured ...) - - shiro (bug #826653) + - shiro 1.2.5-1 (bug #826653) [jessie] - shiro (Minor issue) CVE-2016-4436 RESERVED
[Secure-testing-commits] r42488 - data
Author: jmm Date: 2016-06-12 17:38:11 + (Sun, 12 Jun 2016) New Revision: 42488 Modified: data/dsa-needed.txt Log: take libav Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-12 17:37:06 UTC (rev 42487) +++ data/dsa-needed.txt 2016-06-12 17:38:11 UTC (rev 42488) @@ -20,7 +20,7 @@ -- icu -- -libav +libav (jmm) Maintainer proposed debdiff -- libpdfbox-java
[Secure-testing-commits] r42487 - data
Author: jmm Date: 2016-06-12 17:37:06 + (Sun, 12 Jun 2016) New Revision: 42487 Modified: data/dsa-needed.txt Log: take icedove Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-12 17:14:54 UTC (rev 42486) +++ data/dsa-needed.txt 2016-06-12 17:37:06 UTC (rev 42487) @@ -16,7 +16,7 @@ -- graphicsmagick (luciano) -- -icedove +icedove (jmm) -- icu --
[Secure-testing-commits] r42485 - data
Author: lamby Date: 2016-06-12 17:14:53 + (Sun, 12 Jun 2016) New Revision: 42485 Modified: data/dla-needed.txt Log: Triage libav for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-12 14:47:55 UTC (rev 42484) +++ data/dla-needed.txt 2016-06-12 17:14:53 UTC (rev 42485) @@ -32,6 +32,8 @@ -- imagemagick (Brian May) -- +libav +-- libjackson-json-java -- libspring-java
[Secure-testing-commits] r42486 - data
Author: lamby Date: 2016-06-12 17:14:54 + (Sun, 12 Jun 2016) New Revision: 42486 Modified: data/dla-needed.txt Log: Claim libav in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-12 17:14:53 UTC (rev 42485) +++ data/dla-needed.txt 2016-06-12 17:14:54 UTC (rev 42486) @@ -32,7 +32,7 @@ -- imagemagick (Brian May) -- -libav +libav (Chris Lamb) -- libjackson-json-java --
[Secure-testing-commits] r42484 - data/CVE
Author: carnil Date: 2016-06-12 14:47:55 + (Sun, 12 Jun 2016) New Revision: 42484 Modified: data/CVE/list Log: mark salt as no-dsa for CVE-2016-3176 Modified: data/CVE/list === --- data/CVE/list 2016-06-12 14:47:47 UTC (rev 42483) +++ data/CVE/list 2016-06-12 14:47:55 UTC (rev 42484) @@ -6210,6 +6210,9 @@ CVE-2016-3176 [insecure configuration of PAM external authentication service] RESERVED - salt 2015.8.8+ds-1 (bug #819184) + [jessie] - salt (Minor issue; external_auth not by default usable) + NOTE: external_auth seems not usable by default under Jessie due to the + NOTE: permissions on /var/run/salt/master. NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html NOTE: https://github.com/saltstack/salt/pull/31826/commits/d73f70ebb289142e4f692359fe741a54f5d2ad65
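Review bot: The jessie justification added for CVE-2016-3176 rests on a hedged observation ("external_auth seems not usable by default"), and the NOTE does not say what the permissions on /var/run/salt/master actually are. Suggest recording the observed mode and owner in the NOTE so the "Minor issue" decision can be re-checked later, and so it is clear the assessment covers only the default configuration.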
[Secure-testing-commits] r42483 - data
Author: carnil Date: 2016-06-12 14:47:47 + (Sun, 12 Jun 2016) New Revision: 42483 Modified: data/dsa-needed.txt Log: Remove salt from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-12 13:03:22 UTC (rev 42482) +++ data/dsa-needed.txt 2016-06-12 14:47:47 UTC (rev 42483) @@ -51,9 +51,6 @@ Waiting for upstream-blessed patch before going forward Triggering circumstances not common -- -salt - Testpackages: https://people.debian.org/~carnil/tmp/salt/jessie/ --- squid3 Santiago proposed a debdiff. --
[Secure-testing-commits] r42482 - data/CVE
Author: carnil Date: 2016-06-12 13:03:22 + (Sun, 12 Jun 2016) New Revision: 42482 Modified: data/CVE/list Log: Add bug reference for iperf3 issue, #827116 Modified: data/CVE/list === --- data/CVE/list 2016-06-12 12:30:53 UTC (rev 42481) +++ data/CVE/list 2016-06-12 13:03:22 UTC (rev 42482) @@ -3307,7 +3307,7 @@ RESERVED CVE-2016-4303 [JSON parsing vulnerability] RESERVED - - iperf3 + - iperf3 (bug #827116) NOTE: https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc CVE-2016-4302 RESERVED
[Secure-testing-commits] r42481 - data/CVE
Author: carnil Date: 2016-06-12 12:30:53 + (Sun, 12 Jun 2016) New Revision: 42481 Modified: data/CVE/list Log: ffmpeg has same code in libavformat/mov.c, mark as unfixed Modified: data/CVE/list === --- data/CVE/list 2016-06-12 12:25:56 UTC (rev 42480) +++ data/CVE/list 2016-06-12 12:30:53 UTC (rev 42481) @@ -6588,11 +6588,10 @@ RESERVED CVE-2016-3062 RESERVED - - ffmpeg + - ffmpeg - libav NOTE: https://git.libav.org/?p=libav.git;a=commit;h=7e01d48cfd168c3dfc663f03a3b6a98e0ecba328 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=5fdcbc4a7cd81114a9f47bcb3040ca510bd6360d (11.7) - TODO: check ffmpeg CVE-2016-3061 RESERVED CVE-2016-3060
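Review bot: The reason ffmpeg is considered affected (same code in libavformat/mov.c) is stated only in the commit log; the CVE-2016-3062 entry drops "TODO: check ffmpeg" without recording the finding. Suggest adding a NOTE line under the ffmpeg entry that names libavformat/mov.c, so the triage rationale stays in data/CVE/list next to the two libav commit references.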
[Secure-testing-commits] r42480 - data/CVE
Author: carnil Date: 2016-06-12 12:25:56 + (Sun, 12 Jun 2016) New Revision: 42480 Modified: data/CVE/list Log: Add commit reference from master Modified: data/CVE/list === --- data/CVE/list 2016-06-12 12:25:12 UTC (rev 42479) +++ data/CVE/list 2016-06-12 12:25:56 UTC (rev 42480) @@ -6590,6 +6590,7 @@ RESERVED - ffmpeg - libav + NOTE: https://git.libav.org/?p=libav.git;a=commit;h=7e01d48cfd168c3dfc663f03a3b6a98e0ecba328 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=5fdcbc4a7cd81114a9f47bcb3040ca510bd6360d (11.7) TODO: check ffmpeg CVE-2016-3061
[Secure-testing-commits] r42479 - data
Author: carnil Date: 2016-06-12 12:25:12 + (Sun, 12 Jun 2016) New Revision: 42479 Modified: data/dsa-needed.txt Log: Add libav to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-12 12:24:01 UTC (rev 42478) +++ data/dsa-needed.txt 2016-06-12 12:25:12 UTC (rev 42479) @@ -20,6 +20,9 @@ -- icu -- +libav + Maintainer proposed debdiff +-- libpdfbox-java Maintainer proposed debdiff, but first wait a bit for the upload in unstable to be tested/exposed for possible regressions.
[Secure-testing-commits] r42478 - data/CVE
Author: carnil Date: 2016-06-12 12:24:01 + (Sun, 12 Jun 2016) New Revision: 42478 Modified: data/CVE/list Log: Add CVE-2016-3062/libav Modified: data/CVE/list === --- data/CVE/list 2016-06-12 12:05:27 UTC (rev 42477) +++ data/CVE/list 2016-06-12 12:24:01 UTC (rev 42478) @@ -6588,6 +6588,10 @@ RESERVED CVE-2016-3062 RESERVED + - ffmpeg + - libav + NOTE: https://git.libav.org/?p=libav.git;a=commit;h=5fdcbc4a7cd81114a9f47bcb3040ca510bd6360d (11.7) + TODO: check ffmpeg CVE-2016-3061 RESERVED CVE-2016-3060
[Secure-testing-commits] r42477 - data
Author: apo Date: 2016-06-12 12:05:27 + (Sun, 12 Jun 2016) New Revision: 42477 Modified: data/dla-needed.txt Log: Claim roundcube in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-12 11:04:09 UTC (rev 42476) +++ data/dla-needed.txt 2016-06-12 12:05:27 UTC (rev 42477) @@ -71,10 +71,7 @@ NOTE: see dsa-needed's notes. NOTE: Maintainer's answer: https://lists.debian.org/msgid-search/878tzv6pru@mid.deneb.enyo.de -- -roundcube - NOTE: Partly affected by CVE-2016-4068. Check if other issues apply too. - NOTE: One maintainer suggests to update to the stable 1.0.x branch - NOTE: https://lists.debian.org/debian-lts/2016/05/msg00016.html +roundcube (Markus Koschany) -- ruby-actionpack-3.2 (Guido Günther) --
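Review bot: Claiming roundcube also deletes the three NOTE lines under it (partial exposure to CVE-2016-4068 with a reminder to check the other issues, the maintainer's suggestion to move to the stable 1.0.x branch, and the debian-lts link). Suggest keeping them below "roundcube (Markus Koschany)" while the work is in progress, so the open question about which other issues apply is not lost from dla-needed.txt.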
[Secure-testing-commits] r42476 - in data: . DLA
Author: lamby Date: 2016-06-12 11:04:09 + (Sun, 12 Jun 2016) New Revision: 42476 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-513-1 for nspr Modified: data/DLA/list === --- data/DLA/list 2016-06-12 10:52:46 UTC (rev 42475) +++ data/DLA/list 2016-06-12 11:04:09 UTC (rev 42476) @@ -1,3 +1,6 @@ +[12 Jun 2016] DLA-513-1 nspr - security update + {CVE-2016-1951} + [wheezy] - nspr 2:4.9.2-1+deb7u4 [12 Jun 2016] DLA-512-1 mantis - security update {CVE-2016-5364} [wheezy] - mantis 1.2.18-1+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-12 10:52:46 UTC (rev 42475) +++ data/dla-needed.txt 2016-06-12 11:04:09 UTC (rev 42476) @@ -48,8 +48,6 @@ -- mysql-connector-java -- -nspr (Chris Lamb) --- nss NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the diff between NSS 3.22 and 3.23 is very large. --
[Secure-testing-commits] r42475 - in data: . DLA
Author: lamby Date: 2016-06-12 10:52:46 + (Sun, 12 Jun 2016) New Revision: 42475 Modified: data/DLA/list data/dla-needed.txt Log: Claim DLA-512 for mantis Modified: data/DLA/list === --- data/DLA/list 2016-06-12 09:29:50 UTC (rev 42474) +++ data/DLA/list 2016-06-12 10:52:46 UTC (rev 42475) @@ -1,3 +1,6 @@ +[12 Jun 2016] DLA-512-1 mantis - security update + {CVE-2016-5364} + [wheezy] - mantis 1.2.18-1+deb7u1 [11 Jun 2016] DLA-511-1 libtorrent-rasterbar - security update {CVE-2016-5301} [wheezy] - libtorrent-rasterbar 0.15.10-1+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-12 09:29:50 UTC (rev 42474) +++ data/dla-needed.txt 2016-06-12 10:52:46 UTC (rev 42475) @@ -44,8 +44,6 @@ -- linux -- -mantis (Chris Lamb) --- mat -- mysql-connector-java
[Secure-testing-commits] r42474 - data
Author: carnil Date: 2016-06-12 09:29:50 + (Sun, 12 Jun 2016) New Revision: 42474 Modified: data/dsa-needed.txt Log: Add icedove to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-12 05:37:41 UTC (rev 42473) +++ data/dsa-needed.txt 2016-06-12 09:29:50 UTC (rev 42474) @@ -16,6 +16,8 @@ -- graphicsmagick (luciano) -- +icedove +-- icu -- libpdfbox-java